The Australian government has thumbed its nose at legal safeguards for ethical hackers, according to a report from SC Magazine.

University of New South Wales security researcher Alana Maurushat on Thursday told the magazine’s “Security on the Move” conference that she and other industry professionals had gone out of their way to submit proposals for recent reviews of Australia’s cybercrime laws, but the government decided to reject them all.

“They asked me to make submissions; I said I couldn’t do it,” SC Magazine quoted her as saying. “They gave me extensions, so I went out of my way and took two days off, as many [industry professionals] may have, and they did not take on one suggestion in two years – disgusting.”

The government’s reaction “infuriates me to no end,” she said, noting that she and “many others” argued that Australia requires a “security research exemption” because the law “does not distinguish the motivation for hacking.”

Ms. Maurushat pointed to the case of OSI Security researcher Patrick Webster, who was thanked for his bug-finding by being slapped with legal and financial threats.

As you might recall, Mr. Webster, an Australian researcher, found a gaping, trivially exploitable hole in the security of his investment fund, First State Superannuation. If you’ll pardon me, I’m going to steal an image from a commenter when I say that this flaw didn’t just represent low-hanging fruit; it represented fruit dragging on the ground.

To wit: Mr. Webster found an instance of direct object reference, wherein other members’ statements could be accessed by changing a single digit in the displayed browser URL. This security hole ranks at #4 on OWASP’s top 10 list of application security risks.

For his efforts to responsibly alert First State Superannuation, the financial firm slapped Mr. Webster with legal threats, demands that he turn over his computer, and notice that he might be billed for the bug he himself had uncovered.

I was relieved to learn that, in light of more or less scathing media coverage, First State Superannuation soon backed off its threats. The company issued a statement to the effect that although they perceived Mr. Webster’s actions to be alarming and naughty, it was, in light of his cooperation and compliance in destroying sensitive downloaded materials, letting him go free.

"First State Superannuation appreciates that the actions of the person involved has allowed us to address an undetected weakness in our online security. Subject to his compliance and cooperation in ensuring that the unauthorised statements he downloaded have been destroyed, we have no intention of taking any other action against him."

“Well, that’s a relief,” I thought when I heard of First State dropping the charges. “Now I can stop making fun of Australia suffering from some type of Coriolis effect that caused justice to flow backwards.”

After all, I was just teasing when I said that. I well know that the complexities and inadequacies of disclosure law cause justice to flow backwards equally in both hemispheres.

But this latest news, of Australia developing some odd form of narcolepsy when it comes to reforming disclosure policies, makes me wonder if, in fact, something is up down under.

According to SC Magazine, Ms. Maurushat is now taking the same ethical hacking standards spurned by Australia to the Canadian Government. She said that she hoped the effort will pay off within three years, making Canada the first country to adopt such safeguards.

Godspeed.

In the meantime, here in the US we have the SCADA hack with its subsequent flaw disclosure by the responsible parties.

Soon after Sophos’s Chester Wisniewski wrote about the incident, hacker pr0f contacted him, giving Wisniewski a chance to ask, “What change could be made to the Computer Fraud and Abuse Act to encourage responsible disclosure of security flaws and unprotected systems?”

It should be “a matter of intent and actual damage caused,” the hacker responded. “Shutting one of these down is obviously a crime. Finding one and accessing it out of curiosity, then exposing how insecure it is responsibly, should perhaps be treated a lot more leniently.”

At the very minimum, nation-states must acknowledge that these issues are not black and white. Hackers range from white to gray to black, and the responsibility with which they disclose bugs varies as well.

Their vested interest in exposing flaws varies from individual to individual, but obviously, there are many white-hat hackers out there who deserve more than a set of blanket laws that call for their arrest and prosecution.

Post navigation

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

8 comments on “Safeguards for ethical hackers spurned by Australian government”

it’s becoming increasingly difficult to credit the apparent stupidity and hypocrisy of governments worldwide on issues of cyber security these days. surely, they can’t really be as wilfully ignorant as they appear – can they?

there’s a critical mass of evidence that’s pulling towards only one credible reason: governments everywhere, from North Korea, China & Iran to Australia, the UK and the good ol’ US of A, are all terrified of the internet. this is exactly analogous to the reaction of the church and states to the advent of the printing press in 15th Century Europe: they knew that society was irrevocably changing and that the balance of power was shifting out of the hands of the aristocracy as information became available to all on a massive, unprecedented scale.

we’re seeing the same thing now. western democratic governments have seen the Arab Spring, they’ve experienced Wikileaks – and now they’re shitting themselves. they use IP and child-porn as a smokescreen, with ACTA, PROTECT-IPA and SOPA. but the reality is they’re losing control and they’re ready to do anything to keep hold of it. the internet scares them: they want to privatise, censor and control it. but it’s too late. Berners-Lee has done what Gutenberg did – the world is changing. they can run interference, slow things down and crack heads, but no government can ever really stop it now.

Your post identifies the root of the problem–namely, the institutionalization of the state as an entity that serves its own purposes rather than serving the (ostensible) purpose for which it was created—the real purpose of government. That purpose, of course, is to protect the lives, property, and interests of its citizens.

Nowhere has that purpose become more insidiously thwarted than in the good ol' US of A, wherein the nearly universal myth that we are "free" because we have the ability to choose our tyrants maintains the fraud that we have real government. What we actually have, as you correctly point out, is an elected aristocracy masquerading as democracy.

It is the nature of aristocracy to want to protect its privileges. So yes, they're getting desperate. As they see their control of citizens eroding, they impose increasingly restrictive laws (like SOPA), dressed up with a thin veil of sanctimony.

They must assume that everyone else is as idiotic as they are if they think no one can see through that veil. OF COURSE no one should steal others' ideas or creative work. OF COURSE no one should molest children. But the presumption that depriving people of their liberty to do good things will somehow prevent scumbags from doing bad things is the same broken anti-logic that the political aristocracy has used to justify the entrenchment of its privileges all along.

"Throwing out the bums" is no solution. There will just be new bums to take their places. It's the political system itself that is corrupt, and it necessarily corrupts anyone who participates in it.

What people don’t seem to understand is that whatever system one person can breach, another person can usually do the same job just as well.
There are thousands of services out there dedicated to sharing knowledge about how to break into systems. True, most of them are amateur level and not particularly advanced, but most exploits are amateur level and not particularly advanced; the Advanced Persistent Threat is a fairytale used to justify why some Fortune 500 sysadmin didn’t notice a slightly modified circa 2005 trojan on their network, which got past their highly expensive corporate firewall when Bob opened a malicious pdf called EMPLOYEE_WAGES with an Adobe Reader that hadn’t been updated since 2007.
Anyway, I digress. I wonder how many people contacted Sony about their website issues before LulzSec et al came along, and got ignored.
I wonder how many people siphoned personal data from Sony before LulzSec et al came along.

Hackers aren’t the issue, the issue is that Management don’t care about people’s security because Management only see computers as magical boxes that hold spreadsheets, while criminals, the actual organized kind, do want to steal people’s personal data and use it for grand identity theft. Or kids want to rm everything on a server just for kicks.

I’m not the most ethical person. I won’t lie; I get a kick from illuminating stupidity, which is not necessarily an admirable thing. But I don’t card. I don’t commit identity theft. I don’t sell people’s data on underground markets.
I don’t know about you, but I’d rather have someone like me post my data on the net so I can find out about it and change it. And if it was up to me, I’d rather they didn’t receive ten years in prison for trying to help
Just my two cents, though, and as I’ve said before, I’m biased.

I agree that some provision or guideline to provide a degree of protection to whistleblowers. How would you practice such a thing though ? Would Security researchers require a license ? Would you be required to report a fault in the protection of private information to the police first ? How would you prevent it being used as a 'get out of jail free card' ?

As far as I am aware, equivalent crimes in the physical realm do not contain provisions for researchers to break the law without oversight.

In any case, we might be better off having the ground rules for this being set in a court of law, with an independent jury and expert debate, rather than in parliament with politics being involved.

Michael, I agree that oversight is necessary, but it seems to me that congregating a panel of security experts was exactly the right approach. What baffles me is why whoever was running the Australian legal reviews then ignored the input from all those experts. I'd love to know what the security people recommended and the rationale for the government to reject those recommendations.

Continues bureaucrat Ferris: "Did you really think that we want those laws to be observed? We want them broken. You'd better get it straight that it's not a bunch of boy scouts you're up against . . . We're after power and we mean it. You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Rearden, and once you understand it, you'll be much easier to deal with."
Ayn Rand – Atlas Shrugged

This is exactly why governments have been churning out more and more laws over the last century [Frederick Mann: Obfuscation of meaning is a key element of the con games bureaucrats and politicians play.]